Do not send e-mail to me!

TOTP Authentication

The Time-based One-Time Password algorithm (TOTP) is an algorithm capable of generating pseudo-random passwords through a shared private key. The algorithm is formalized by RFC 6238 for use in dual factor authentication.

 

The TOTP is a combination of the private key and the current time of the device that runs the algorithm. Therefore, two devices calculate exactly the same value if they have their clocks synchronized.

 

Means of transmission of the private key

 

The private key can be generated by various means such as base 32 or QRcode. Once a new secret is created, it can be sent by email or any other means of communication.

 

In case the private key is transmitted by QRcode, it is possible to format the content to make it easier to register on mobile devices. The most common TOTP format in QRcode is the Google Authenticator format:

otpauth://totp/[KEY NAME]?secret=[KEY SECRET, BASE 32]

Várias informações podem ser passadas no QRcode, para facilitar a identificação da chave no dispositivo.

This figure is an example of QRcode generated by this code:

otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example

Scanning of QRcode

QRcode, in Google format, can be read by the Google Authenticator mobile app. Google Authenticator can be obtained from Google Play or the Apple Store:

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

https://itunes.apple.com/br/app/google-authenticator/id388497605?mt=8

Once installed, Google Authenticator will look like this on your phone.

To add a new private key, using a QRcode, simply click on “Add an account” and “Scan a barcode”.

The application will use the camera of the mobile. Adjust the viewfinder frame on the QRcode image until you hear the completion sound.

 

After you hear the sound, your key will be protected within the application. A new six-digit number will be generated every minute. This number will be the password used to authenticate access to the service.

SPFBL control panel authentication

To access the SPFBL control panel, enter the URL passed by the service administrator. You will see a screen with this appearance.

 

Solve reCAPTCHA and wait for the email with the QRcode of the TOTP private key.

The email will look like this in your mailbox. Scan the QRcode in your Google Authenticator, as explained above, and enter the number generated in the password field of the control panel authentication screen.

 

The control panel will record your authentication for seven days in your browser. After the browser authentication expires, the control panel will request the TOTP password again. Log in to your Google Authenticator and enter the new number.

Leandro Carlos Rodrigues

Bacharel em Ciência da Computação pela FEI